Abstract

In this paper we show that certain special cases of the hidden subgroup problem can be solved
in polynomial time by a quantum algorithm. These special cases involve finding hidden normal
subgroups of solvable groups and permutation groups, finding hidden subgroups of groups with
small commutator subgroup and of groups admitting an elementary Abelian normal 2-subgroup
of small index or with cyclic factor group.
1 Introduction



A growing trend in recent years in quantum computing is to cast quantum algorithms in a group 
theoretical setting. Group theory provides a unifying framework for several quantum algorithms, 
clarifies their key ingredients, and therefore contributes to a better understanding of why they can,
in some contexts, be more efficient than the best known classical ones.

The most important unifying problem of group theory for the purpose of quantum algorithms
turned out to be the hidden subgroup problem (HSP) which can be cast in the following broad
terms. Let G be a finite group (given by generators), and let H be a subgroup of G. We are given
(by an oracle) a function f mapping G into a finite set such that f is constant on each left coset
of H and distinct on different left cosets, and our task is to determine the unknown subgroup H.

While no classical algorithm is known to solve this problem in time faster than polynomial
in the order of the group, the biggest success of quantum computing until now is that it can be
solved by a quantum algorithm efficiently, which means in time polynomial in the logarithm of the
order of G, whenever the group is Abelian. The main tool for this solution is the (approximate)
quantum Fourier transform, which can be efficiently implemented by a quantum algorithm.
Simon's algorithm for finding an xor-mask, Shor's seminal factorization and discrete logarithm
finding algorithms [25], and Boneh and Lipton's algorithm for finding hidden linear functions are
all special cases of this general solution, as well as the algorithm of Kitaev [17] for the Abelian
stabilizer problem, which was the first problem set in a general group theoretical framework. That
all these problems are special cases of the HSP, and that an efficient solution comes easily once
an efficient Fourier transform is at our disposal, was realized and formalized by several people,
including Brassard and Høyer, Mosca and Ekert [22] and Jozsa [15]. An excellent description of
the general solution can be found for example in Mosca's thesis.

Addressing the HSP in the non-Abelian case is considered to be the most important challenge
at present in quantum computing. Besides its intrinsic mathematical interest, the importance of this
problem is enhanced by the fact that it contains as a special case the graph isomorphism problem.
Unfortunately, the non-Abelian HSP seems to be much more difficult than the Abelian case, and
although considerable efforts were spent on it in the last years, only limited success can be reported.
Rötteler and Beth [24] have presented an efficient quantum algorithm for the wreath products
$\mathbb{Z}_2^k \wr \mathbb{Z}_2$. In the case of the dihedral groups, Ettinger and Høyer designed a quantum algorithm
which makes only $O(\log|G|)$ queries. However, this doesn't make their algorithm efficient since
the (classical) post-processing stage of the results of the queries is done in exponential time in
$O(\log|G|)$. Actually, this result was extended by Ettinger, Høyer and Knill in the sense
that they have shown that in any group, with only $O(\log|G|)$ queries to the oracle, sufficient
statistical information can be obtained to solve the HSP. However, it is not known how to
implement these queries efficiently, and therefore even the "quantum part" of their algorithm
remains exponential. Hallgren, Russell and Ta-Shma proved that the generic efficient quantum
procedure for the HSP in Abelian groups works also for non-Abelian groups to find any normal
subgroup, under the condition that the Fourier transform on the group can efficiently be computed.
Grigni, Schulman, Vazirani and Vazirani could show that the HSP is solvable efficiently in groups
where the intersection of the normalizers of all subgroups is large [12]. A recent survey on the
status of the non-Abelian HSP problem was realized by Jozsa [16].

In a somewhat different line of research, recently several group theoretical problems have been
considered in the context of black-box groups. The notion of black-box groups has been introduced
by Babai and Szemerédi. In this model, the elements of a group G are encoded by words over
a finite alphabet, and the group operations are performed by an oracle (the black box). The groups
are assumed to be input by generators, and the encoding is not necessarily unique. There has
been a considerable effort to develop classical algorithms for computations with them, for
example to identify the composition factors (especially the non-commutative ones). Efficient
black-box algorithms give rise automatically to efficient algorithms whenever the black-box operations can
be replaced by efficient procedures. Permutation groups, matrix groups over finite fields and even
finite matrix groups over algebraic number fields fit in this model. In particular, Watrous [27] has
recently considered solvable black-box groups in the restricted model of unique encoding, and using
some new quantum algorithmic ideas, he could construct efficient quantum algorithms for finding
composition series, decomposing Abelian factors, computing the order and testing membership in
these groups.

In this paper we will focus on the HSP, and we will show that it can be solved in polynomial
time in several black-box groups. In particular, we will present efficient quantum algorithms for
this problem for groups with small commutator subgroup and for groups having an elementary
Abelian normal 2-subgroup of small index or with cyclic factor group. Our basic ingredient will be
a series of deep algorithmic results of Beals and Babai from classical computational group theory.
Indeed, in [5] they have shown that, up to certain computationally difficult subtasks (the so-called
Abelian obstacles) such as factoring integers and constructive membership test in Abelian groups,
many problems related to the structure of black-box groups, such as finding composition series, can
be solved efficiently for groups without large composition factors of Lie type, and in particular, for
solvable groups. As quantum computers can factor integers and take discrete logarithms, and, more
generally, perform the constructive membership test in Abelian groups efficiently, one expects that
a large part of the Beals-Babai algorithms can be efficiently implemented by quantum algorithms.
Indeed, the above results of Watrous partly fulfill this task, although his algorithms are not using
the Beals-Babai algorithms. Here we will describe efficient quantum implementations of some of
the Beals-Babai algorithms. It turns out that, besides paving the way for solving the HSP in the
groups mentioned previously, these implementations also give, almost "for free", efficient solutions
for finding hidden normal subgroups in many cases, including solvable groups and permutation
groups.

The rest of the paper is structured as follows. In Section 2 we review the necessary definitions
about black-box groups in the quantum computing framework, and summarize the most important
results about Abelian and solvable groups. In Section 3 we state the result of Beals and Babai
and Corollary 5, which makes explicit two hypotheses (availability of oracles for order computing
and for constructive membership test in elementary Abelian subgroups) under which the algorithms
have efficient quantum implementations. Section 4 deals with these quantum implementations in
the following cases: unique encoding (Theorem 6), modulo a hidden normal subgroup (Theorem 7)
and modulo a normal subgroup given by generators in case of unique encoding (Theorem 10).
As a consequence, we can derive the efficient quantum solution for the normal HSP in solvable and
permutation groups without any assumption on computability of noncommutative Fourier
transforms (Theorem 8). Section 5 contains the efficient algorithm for the HSP for groups with small
commutator subgroup (Theorem 11), and Section 6 for groups having an elementary Abelian
normal 2-subgroup of small index or with cyclic factor group (Theorem 13).



2 Preliminaries 

In order to achieve sufficiently general results we shall work in the context of black-box groups.
We will suppose that the elements of the group G are encoded by binary strings of length n for
some fixed integer n, which we call the encoding length. The groups will be given by generators,
and therefore the input size of a group is the product of the encoding length and the number of
generators. Note that the encoding of group elements need not be unique: a single group element
may be represented by several strings. If the encoding is not unique, one also needs an oracle for
identity tests. Typical examples of groups which fit in this model are factor groups G/N of matrix
groups G, where N is a normal subgroup of G such that testing elements of G for membership
in N can be accomplished efficiently. Also, not every binary string of length n necessarily
corresponds to a group element. If the black box is fed such a string, its behavior can be arbitrary
on it.

Since we will deal with black-box groups we shall shortly describe them in the framework of
quantum computing (see also [21] or [27]). For a general introduction to quantum computing the
reader might consult [13] or [23]. We will work in the quantum Turing machine model. For a group
G of encoding length n, the black-box will be given by two oracles $U_G$ and its inverse $U_G^{-1}$, both
operating on 2n qubits. For any group elements $g, h \in G$, the effect of the oracles is the following:

$$U_G |g\rangle|h\rangle = |g\rangle|gh\rangle,$$

and

$$U_G^{-1} |g\rangle|h\rangle = |g\rangle|g^{-1}h\rangle.$$

The quantum algorithms we consider might make errors, but the probability of making an error
should be bounded by some fixed constant $0 < \varepsilon < 1/2$.

Let us quote here two basic results about quantum group algorithms respectively in Abelian 
and in solvable black-box groups. 
Theorem 1 (Cheung and Mosca [8]). Assume that G is an Abelian black-box group with unique
encoding. Then the decomposition of G into a direct sum of cyclic groups of prime power order can
be computed in time polynomial in the input size by a quantum algorithm.

Theorem 2 (Watrous [27]). Assume that G is a solvable black-box group with unique encoding.
Then computing the order of G and testing membership in G can be solved in time polynomial in
the input size by a quantum algorithm. Moreover, it is possible to produce a quantum state that
approximates the pure state $|G\rangle = |G|^{-1/2} \sum_{g \in G} |g\rangle$ with accuracy $\varepsilon$ (in the trace norm metric) in
time polynomial in the input size + $\log(1/\varepsilon)$.

When we address the HSP, we will suppose that a function $f : \{0,1\}^n \to \{0,1\}^m$ is given by
an oracle, such that for some subgroup $H \le G$ the function f is constant on the left cosets of H
and takes different values on different cosets. We will say that f hides the subgroup H. The goal
is to find generators for H in time polynomial in the size of G and m, that is we assume that m
is also part of the input in unary. The following theorem summarizes the status of this problem when
the group is Abelian.

Theorem 3 (Mosca [21]). Assume that G is an Abelian black-box group with unique encoding.
Then the hidden subgroup problem can be solved in time polynomial in the input size by a quantum
algorithm.



3 Group algorithms 

In [5] Beals and Babai described probabilistic Las Vegas algorithms for several important tasks
related to the structure of finite black-box groups. In order to state their result, we will need some
definitions, in particular the definition of the parameter $\nu(G)$, where G is any group.

Let us recall that a composition series of a group G is a sequence of subgroups
$G = G_1 \triangleright G_2 \triangleright \cdots \triangleright G_t = 1$ such that each $G_{i+1}$ is a proper normal subgroup in $G_i$, and the factor
groups $G_i/G_{i+1}$ are simple. The factors $G_i/G_{i+1}$ are called the composition factors of G. It is known that the
composition factors of G are (up to order, but counted with multiplicities) uniquely determined
by G. Beals and Babai define the parameter $\nu(G)$ as the smallest natural number $\nu$ such that every
non-Abelian composition factor of G possesses a faithful permutation representation of degree at
most $\nu$.

By definition, for a solvable group G the parameter $\nu(G)$ equals 1. Also, representation-theoretic
results of [11] and |y| imply that $\nu(G)$ is polynomially bounded in the input size in many important
special cases, such as permutation groups or even finite matrix groups over algebraic number fields.

The constructive membership test in Abelian subgroups is the following problem. Given pairwise
commuting group elements $h_1, \ldots, h_r, g$ of a not necessarily commutative group, either express g as
a product of powers of the $h_i$'s or report that no such expression exists. Babai and Szemerédi have
shown that under some group operations oracle this problem cannot be solved in polynomial
time by classical algorithms. This test is usually required only for elementary Abelian groups, that
is groups which are isomorphic to $\mathbb{Z}_p^n$ for some prime p and integer n.

We can now quote part of the main results of [5].

Theorem 4. (Beals and Babai [5], Theorem 1.2) Let G be a finite black-box group with not
necessarily unique encoding. Assume that the following are given:

(a) a superset of the primes dividing the order of G,

(b) an oracle for taking discrete logarithms in finite fields of size at most $|G|$,

(c) an oracle for the constructive membership tests in elementary Abelian subgroups of G.

Then the following tasks can be solved by Las Vegas algorithms of running time polynomial in the
input size + $\nu(G)$:

(i) test membership in G,

(ii) compute the order of G and a presentation for G,

(iii) find generators for the center of G,

(iv) construct a composition series $G = G_1 \triangleright G_2 \triangleright \cdots \triangleright G_t = 1$ for G, together with nice
representations of the composition factors $G_i/G_{i+1}$,

(v) find Sylow subgroups of G.

A presentation of G is a sequence $g_1, \ldots, g_s$ of generator elements for G, together with a set of
group expressions in variables $x_1, \ldots, x_s$, called the relators, such that $g_1, \ldots, g_s$ generate G and
the kernel of the homomorphism from the free group $F(x_1, \ldots, x_s)$ onto G sending $x_i$ to $g_i$ is the
smallest normal subgroup of $F(x_1, \ldots, x_s)$ containing the relators. We remark that the generators
in the presentation may differ from the original generators of G.

A nice representation of a factor $G_i/G_{i+1}$ means a homomorphism from $G_i$ with kernel $G_{i+1}$
to either a permutation group of degree polynomially bounded in the input size + $\nu(G)$ or to $\mathbb{Z}_p$
where p is a prime dividing $|G|$. Of course, if G is solvable one can insist that the representations
of all the cyclic factors be of the second kind.

It turns out that for some of the tasks in the hypotheses of Theorem 4 there are efficient
quantum algorithms. By Shor's results [25], the oracle for computing discrete logarithms can be
implemented by a polynomial time quantum algorithm. Also, a superset of the primes dividing
$|G|$ can be obtained in polynomial time by quantum algorithms in the most natural cases. For
example, if G is a matrix group over a finite field, say $G \le GL(n,q)$, then such a superset can be
obtained by factoring the number $(q^n - 1)(q^n - q) \cdots (q^n - q^{n-1})$, the order of the group $GL(n,q)$.
The same method works even for factors of matrix groups over finite fields. If G is (a factor of) a
finite matrix group of characteristic zero, then the situation is even better because in that case the
prime divisors of $|G|$ are of polynomial size. But in any case, one can note that the superset of the
primes dividing the order of G is only used in Theorem 4 to compute (and factorize) the orders of
elements of G as well as those of matrices over finite fields of size at most $|G|$. This latter task can
also be achieved by a quantum algorithm in polynomial time.

In addition, we remark that the algorithm for testing membership can be understood in a
stronger, constructive sense (see Section 5.3 in [5]), which is the proper generalization of the
constructive membership test in the Abelian case. For this we need the notion of a straight line
program on a set of generators. This is a sequence of expressions $e_1, \ldots, e_s$ where each $e_i$ is either
of the form $x_i := h$ where h is a member of the generating set or of the form $x_i := x_j x_k$ where
$0 < j, k < i$. It turns out that for elements g of G one can also require that a straight line program
expressing g in terms of the generators be returned. Therefore, one can immediately derive from
Theorem 4 the following result.

Corollary 5. Let G be a finite black-box group with not necessarily unique encoding. Assume that
the following are given:

(a) an oracle for computing the orders of elements of G,

(b) an oracle for the constructive membership tests in elementary Abelian subgroups of G.

Then the following tasks can be solved by quantum algorithms of running time polynomial in the
input size + $\nu(G)$:

(i) constructive membership test in G,

(ii)-(v) as in Theorem 4.

4 Quantum implementations 

In this section we will discuss several cases when the remaining tasks in the hypotheses of Corollary 5
can also be efficiently implemented by quantum algorithms.

4.1 Unique encoding 

If we have a unique encoding for the elements of the black-box group G then we can use Shor's order 
finding method. As we will show, in that case there is also an efficient quantum algorithm for the 
constructive membership test in elementary (and non-elementary) Abelian subgroups. Therefore 
we will get the following result. 

Theorem 6. Assume that G is a black-box group with unique encoding. Then, each of the tasks
listed in Corollary 5 can be solved in time polynomial in the input size + $\nu(G)$ by a quantum
algorithm.

Proof. Let us prove that task (b) in Corollary 5 can be solved efficiently by a quantum algorithm. In
fact, we can reduce the test to an instance of the Abelian hidden subgroup problem as follows. First,
we compute the orders of the underlying elements. Let the orders of $h_1, \ldots, h_r$
and $g$ be $s_1, \ldots, s_r$ and $s$, respectively. Then for a tuple $(a_1, \ldots, a_r, a)$ from
$\mathbb{Z}_{s_1} \times \cdots \times \mathbb{Z}_{s_r} \times \mathbb{Z}_s$, set
$\phi(a_1, \ldots, a_r, a) = h_1^{a_1} \cdots h_r^{a_r} g^{-a}$. Clearly $\phi$ is a homomorphism from
$\mathbb{Z}_{s_1} \times \cdots \times \mathbb{Z}_{s_r} \times \mathbb{Z}_s$ into G,
therefore this is an instance of the Abelian hidden subgroup problem, and its kernel can be found
in polynomial time by a quantum algorithm. The kernel contains an element the last coordinate of
which is relatively prime to s if and only if g is representable as a product of powers of the $h_i$'s. Also,
from such an element an expression for g in the desired form can be constructed efficiently. □
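The reduction in this proof can be traced classically on a tiny group. The following is an added example, not code from the paper: the quantum Abelian HSP step is replaced by brute-force enumeration of the kernel of $\phi$, the commuting elements live in the multiplicative group modulo m (a constructed choice), and the function names are hypothetical.

```python
from itertools import product
from math import gcd


def order(x, m):
    """Multiplicative order of the unit x modulo m."""
    n, y = 1, x % m
    while y != 1:
        y = y * x % m
        n += 1
    return n


def phi(hs, g, s, exps, a, m):
    """phi(a_1, ..., a_r, a) = h_1^a_1 ... h_r^a_r g^(-a), computed modulo m."""
    val = pow(g, (s - a) % s, m)  # g^(-a), because g has order s
    for h, e in zip(hs, exps):
        val = val * pow(h, e, m) % m
    return val


def kernel(hs, g, m):
    """Orders s_1..s_r, the order s of g, and the kernel of phi.

    Brute force stands in for the Abelian hidden subgroup algorithm here;
    it is exponential in general and only usable on toy instances.
    """
    orders = [order(h, m) for h in hs]
    s = order(g, m)
    ranges = [range(o) for o in orders] + [range(s)]
    ker = [t for t in product(*ranges)
           if phi(hs, g, s, t[:-1], t[-1], m) == 1]
    return orders, s, ker


def express(hs, g, m):
    """Exponents e_i with g = prod h_i^e_i (mod m), or None if g is not
    in the subgroup generated by the h_i."""
    orders, s, ker = kernel(hs, g, m)
    if s == 1:                      # g is the identity
        return [0] * len(hs)
    for t in ker:
        a = t[-1]
        if gcd(a, s) == 1:
            # prod h_i^a_i = g^a; raise both sides to a^(-1) mod s
            a_inv = pow(a, -1, s)
            return [(ai * a_inv) % si for ai, si in zip(t[:-1], orders)]
    return None


if __name__ == "__main__":
    # Constructed instances in the unit group modulo 15.
    print(express([2, 11], 13, 15))   # 13 = 2^3 * 11 (mod 15)
    print(kernel([4], 2, 15))         # kernel has no last coordinate coprime to 4
    print(express([4], 2, 15))        # 2^2 lies in <4>, but 2 itself does not
```

The second instance shows why the coprimality condition matters: the kernel is non-trivial because a power of g lies in the subgroup, yet g is not representable.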

This result generalizes the order finding algorithm of Watrous (Theorem 2 in [27]) for solvable
groups. Also note that, even if G is solvable, the way quantum algorithms are used here is
slightly different from that of Watrous.



4.2 Hidden normal subgroup 

Assume now that G is a black-box group with an encoding which is not necessarily unique, and N
is a normal subgroup of G given as a hidden subgroup via the function f. We use the encoding of G
for that of G/N. The function f gives us a secondary encoding for the elements of G/N. Although
we do not have a machinery to multiply elements in the secondary encoding, Shor's order-finding
algorithm and even the treatment of the constructive membership test outlined above are still
applicable.

Theorem 7. Assume that G is a black-box group with not necessarily unique encoding. Suppose
that N is a normal subgroup given as a hidden subgroup of G. Then all the tasks listed in Corollary 5
for G/N can be solved by quantum algorithms in time polynomial in the input size + $\nu(G/N)$.

Proof. The proof is similar to the one of Theorem 6, where
$\phi(a_1, \ldots, a_r, a) = f(h_1^{a_1} \cdots h_r^{a_r} g^{-a})$ is taken. □

Let us now turn back to the original hidden subgroup problem. We are able to solve it completely
when the hidden subgroup is normal. Note that Hallgren, Russell and Ta-Shma [14] have already
given a solution for that case under the condition that one can efficiently construct the quantum
Fourier transform on G. The algorithm presented here does not require such a hypothesis.

Theorem 8. Assume that G is a black-box group with not necessarily unique encoding. Suppose
that N is a normal subgroup given as a hidden subgroup of G. Then generators for N can be found
by a quantum algorithm in time polynomial in the input size + $\nu(G/N)$. In particular, we can find
hidden normal subgroups of solvable black-box groups and permutation groups in polynomial time.

Proof. We use the presentation of G/N obtained by the algorithm of Theorem 7 to find generators
for N. Let T be the generating set from the presentation. If T generates G then it is easy to find
generators for N. Let $R_0$ denote the set of elements obtained by substituting the generators in T
into the relators, and let $N_0$ stand for the normal closure of $R_0$ (the smallest normal subgroup
containing $R_0$). Then $N_0 = N$ since $N_0 \le N$ and $G/N_0 \cong G/N$ by definition of T and $R_0$.

Still some care has to be taken since it is possible that T generates G only modulo N, that is
it might generate a proper subgroup of G. Therefore some additional elements should be added to
$R_0$. Let S be the generating set for G. Using the constructive membership test for G/N, we express
the original generators from S modulo N with straight line programs in terms of the elements of T.
For each element $x \in S$ we form the quotient $y^{-1}x$ where y is the element obtained by substituting
the generators from T into the straight line program for x modulo N. Let $S_0$ be the set of all the
quotients formed this way. Note that T and $S_0$ together generate G. Then one can verify that the
normal closure of $R_0 \cup S_0$ in G is N.

Thus, from $R_0$ and $S_0$ we can find generators for N in time polynomial in the input size + $\nu(G/N)$
using the normal closure algorithm. We obtained the desired result. □

4.3 Unique encoding and solvable normal subgroup 

We conclude this section with some results obtained as combination of the ideas presented above
with those of Watrous described in [27]. Assume that the encoding of the elements of G is unique
and a normal solvable subgroup N of G is given by generators. We use the encoding of G for that of
G/N. The identity test in G/N can be implemented by an efficient quantum algorithm for testing
membership in N due to Watrous (Theorem 2). We are also able to produce (several copies of) the
uniform superposition $|N\rangle = |N|^{-1/2} \sum_{x \in N} |x\rangle$ efficiently. For solvable subgroups N, we can again
apply the result of Watrous (Theorem 2) to produce $|N\rangle$ in polynomial time. We will now show
that having sufficiently many copies of $|N\rangle$ at hand, we can use ideas of Watrous for computing
orders of elements of G/N and even for performing the constructive membership test in Abelian
subgroups of G/N. Thus, we will have an efficient quantum implementation of the Beals-Babai
algorithms for G/N. We will first state a lemma which says that we can efficiently solve the HSP
in an Abelian group if we have an appropriate quantum oracle.

Lemma 9. Let A be an Abelian group, and let X be a finite set. Let $H \le A$, and let $f : A \to \mathbb{C}^X$
(given by an oracle) such that:

1. For every $g \in A$, $|f(g)\rangle$ is a unit vector,

2. f is constant on the left cosets of H, and maps elements from different cosets into orthogonal
states.

Then there exists a polynomial time quantum algorithm for finding the hidden subgroup H.

Proof. First we extend naturally f to A/H: on a coset of H, it takes the value f(h) for an arbitrary
member h of the coset. The algorithm is the standard quantum algorithm for the Abelian hidden
subgroup problem. We repeat several times the following steps to find a set of generators for H.

• Prepare the initial superposition: $|1_A\rangle|0^m\rangle$.

• Apply the Abelian quantum Fourier transform in A on the first register: $\sum_{g \in A} |g\rangle|0^m\rangle$.

• Call f: $\sum_{g \in A} |g\rangle|f(g)\rangle$.

• Apply again the Fourier transform in A: $\sum_{g \in A/H} \sum_{h \in H^\perp} \chi_h(g)\,|h\rangle|f(g)\rangle$.

• Observe the first register.

By hypothesis, the states $|f(g)\rangle$ are orthogonal for distinct $g \in A/H$, therefore an observation of
the first register will give a uniform probability distribution on $H^\perp$. After a sufficient number of
iterations, this will give a set of generators for $H^\perp$, which leads then to a set of generators for H.

Note that in the above steps it is sufficient to compute only the approximate quantum Fourier
transform on A which can be done in polynomial time. □



Theorem 10. Assume that G is a black-box group with a unique encoding of group elements.
Suppose that N is a normal subgroup given by generators. Assume further that N is either solvable
or of polynomial size. Then all the tasks listed in Corollary 5 for G/N can be solved by a quantum
algorithm in running time polynomial in the input size + $\nu(G/N)$.

Proof. For applying Corollary 5, one has to verify that we can perform tasks (a)-(b) of the corollary.
If N is of polynomial size, it is trivial. Therefore we suppose that N is solvable. We will closely
follow the approach indicated by Watrous in [27] for dealing with factor groups.

First, let $g \in G$. To compute the order of g in G/N, we compute the period of the quantum
function $f(k) = |g^k N\rangle$, where $k \in \{1, \ldots, m\}$ for some multiple m of the order. This function can
be computed efficiently since one can prepare the superposition $|N\rangle$ by Theorem 2, and for example
we can take m as the order of g in G. Therefore by Lemma 9 one can find this period.

Second, let $g \in G$ and let $h_1, \ldots, h_r \in G$ be pairwise commuting elements modulo N, generating
some Abelian subgroup $H \le G/N$. We compute the orders of the underlying elements in G/N
using the previous method. Let the orders of $h_1, \ldots, h_r$ and $g$ be $s_1, \ldots, s_r$ and $s$, respectively.
Then for a tuple $(a_1, \ldots, a_r, a)$ from $\mathbb{Z}_{s_1} \times \cdots \times \mathbb{Z}_{s_r} \times \mathbb{Z}_s$, set
$\phi(a_1, \ldots, a_r, a) = |h_1^{a_1} \cdots h_r^{a_r} g^{-a} N\rangle$.
Then $\phi$ is a homomorphism from $\mathbb{Z}_{s_1} \times \cdots \times \mathbb{Z}_{s_r} \times \mathbb{Z}_s$ into $\mathbb{C}^{G/N}$. From Lemma 9 the kernel of
$\phi$ can be computed in polynomial time by a quantum algorithm. Moreover it contains an element
the last coordinate of which is relatively prime to s if and only if g is representable as a product of
powers of the $h_i$'s. Also, from such an element an expression for g in the desired form can be constructed
efficiently using elementary number theory. □
5 Groups with small commutator subgroups



Assume that G is a black-box group with unique encoding of elements, and suppose that a subgroup
H is hidden by a function f. Our next result states that one can solve the HSP in time polynomial
in the input size + $|G'|$, where $G'$ is the commutator subgroup of G. Let us recall that the commutator
subgroup is the smallest normal subgroup of G containing the commutators $xyx^{-1}y^{-1}$, for every
$x, y \in G$.

Theorem 11. Let G be a black-box group with unique encoding of elements. The hidden subgroup
problem in G can be solved by a quantum algorithm in time polynomial in the input size + $|G'|$.

Proof. Let H be a hidden subgroup of G defined by the function f. We start with the following
observation. If N is a normal subgroup of G and $H_1 \le H$ is such that $H_1 \cap N = H \cap N$ and
$H_1N = HN$, then by the isomorphism theorem, $H_1/(H \cap N) \cong H_1N/N \cong H/(H \cap N)$ which
implies $H_1 = H$. We will generate such a subgroup $H_1 \le H$ for $N = G'$.

As the commutator subgroup $G'$ of G consists of products of conjugates of commutators of the
generators of G we can enumerate $G'$, and therefore also $G' \cap H$, in time polynomial in the
input size + $|G'|$. We consider the function $F : x \mapsto f(xG') = \{f(xg) \mid g \in G'\}$ which can be
computed by querying $|G'|$ times the function f.

The function F hides the subgroup $HG'$. Note that $HG'$ is normal since $G/G'$ is Abelian. Thus
by Theorem 8 we can find generators for $HG'$ by a quantum algorithm in time polynomial in the
size of the input + $|G'|$ since $\nu(G/HG') = 1$, because $G/HG'$ is Abelian.

For each generator x of $HG'$, we enumerate all the elements of the coset $xG'$ and select an element
of $xG' \cap H$. The cost of this step is again polynomial in the input size + $|G'|$. We take for $H_1$ the
subgroup of G generated by the selected elements and $H \cap G'$. We get $H_1 \cap G' = H \cap G'$, and by
the definition of the selected elements $H_1G' = HG'$. □

A group G is an extra-special p-group if its commutator subgroup $G'$ coincides with its center,
$|G'| = p$, and moreover $G/G'$ is an elementary Abelian p-group. Therefore we get the following
corollary from the previous theorem.

Corollary 12. The hidden subgroup problem in extra-special p-groups can be solved by a quantum 
algorithm in time polynomial in input size + p. 
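The procedure in the proof of Theorem 11 can be followed step by step on a small extra-special group. This is an added example, not code from the paper: it runs classically on the dihedral group of order 8 given as permutations (a constructed instance), and the one quantum step, finding $HG'$ via Theorem 8, is replaced by exhaustive search over G. All function names are hypothetical.

```python
def mul(p, q):
    """Product p*q of permutations stored as tuples: apply q first, then p."""
    return tuple(p[j] for j in q)


def inv(p):
    r = [0] * len(p)
    for i, x in enumerate(p):
        r[x] = i
    return tuple(r)


def closure(gens, e):
    """All elements of the finite group generated by gens."""
    seen, todo = {e}, [e]
    while todo:
        x = todo.pop()
        for g in gens:
            y = mul(x, g)
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return frozenset(seen)


def commutator_subgroup(gens, e):
    """G' as the normal closure of the commutators of the generators."""
    comms = {mul(mul(x, y), mul(inv(x), inv(y))) for x in gens for y in gens}
    sub = closure(comms, e)
    while True:
        conj = {mul(mul(g, c), inv(g)) for g in gens for c in sub}
        if conj <= sub:
            return sub
        sub = closure(sub | conj, e)


def coset_oracle(H):
    """Constructed hiding function f: a canonical label of the left coset xH."""
    return lambda x: min(mul(x, h) for h in H)


def find_hidden_subgroup(gens, f, e):
    G = closure(gens, e)                 # used only by the stand-in search below
    Gp = commutator_subgroup(gens, e)    # enumerate G'
    H_cap = {g for g in Gp if f(g) == f(e)}            # H ∩ G'

    def F(x):                            # F(x) = {f(xg) : g in G'}, |G'| queries
        return frozenset(f(mul(x, g)) for g in Gp)

    # Stand-in for Theorem 8: F hides the normal subgroup HG'.
    HGp = [x for x in G if F(x) == F(e)]
    # From every coset xG' inside HG', select one element of xG' ∩ H.
    picked = {next(y for y in (mul(x, g) for g in Gp) if f(y) == f(e))
              for x in HGp}
    return closure(picked | H_cap, e)    # this is H_1, which equals H


# Constructed instance: D4 acting on the corners 0..3 of a square.
E = (0, 1, 2, 3)
R = (1, 2, 3, 0)      # rotation
S = (0, 3, 2, 1)      # reflection fixing corners 0 and 2

if __name__ == "__main__":
    H = closure([S], E)                  # a non-normal subgroup of order 2
    print(sorted(find_hidden_subgroup([R, S], coset_oracle(H), E)) == sorted(H))
```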



6 Groups with a large elementary Abelian normal 2-subgroup 



Assume that N is an elementary Abelian normal 2-subgroup of a group G, and it is given by
generators as part of the input. Our aim is to solve the HSP in G in the cases where G/N is either
small or cyclic. Typical examples of groups of the latter type are matrix groups over a field of
characteristic 2 of degree k + 1 generated by a single matrix of type (a), where the k x k submatrix
in the upper left corner is invertible, together with several matrices of type (b):



(a) 



Note that the class of groups of this kind includes the wreath products $\mathbb{Z}_2^k \wr \mathbb{Z}_2$ in which the hidden
subgroup problem has been shown to be solvable in polynomial time by Rötteler and Beth in [24].
Based on a technique inspired by the idea of Ettinger and Høyer used for the dihedral groups,
we solve the hidden subgroup problem in quantum polynomial time in this more general class
of groups.

Theorem 13. Let G be a black-box group with unique encoding of elements and N be a normal
elementary Abelian 2-subgroup of G given by generators. Then the hidden subgroup problem in G
can be solved by a quantum algorithm in time polynomial in the input size + $|G/N|$. If G/N is
cyclic then the hidden subgroup problem can be solved in polynomial time.

Proof. Let H be a subgroup of G hidden by the function f. The main line of the proof is like in
Theorem 11: we will generate $H_1 \le H$ which satisfies $H_1 \cap N = H \cap N$ and $H_1N/N = HN/N$ (or
equivalently $H_1N = HN$). Again we start the generation of $H_1$ with $H \cap N$ which can be computed
in polynomial time in the input size by Theorem 3 since N is Abelian. The additional generators
of $H_1$ will be obtained from a set $V \subseteq G$ which, for every subgroup $M \le G/N$ (in particular, for
$M = HN/N$), contains some generator set for M. For each $z \in V$, we will verify if $zN \in HN/N$
(equivalently $zH \cap N \ne \emptyset$ or also $zN \cap H \ne \emptyset$), and in the positive case we will find some $u \in N$
such that $u^{-1}z \in H$. Both of these tasks will be reduced to the Abelian hidden subgroup problem,
and the elements of the form $u^{-1}z$ will be the additional generators of $H_1$.



If G/N is cyclic, we use Theorem 10 to find generators for the Sylow subgroups of G/N (note
that $\nu(G/N) = 1$). Each Sylow subgroup will be cyclic (and unique), therefore a random element of the
Sylow p-subgroup will be a generator with probability $1 - 1/p \ge 1/2$. Note that one can check
if the chosen element is really a generator by using the order finding procedure of Theorem 10.
Then, for each p we choose a generator $x_pN$ for the Sylow p-subgroup after iterating the previous
random choice. The p-subgroups of G/N are $\langle x_pN\rangle, \langle x_p^pN\rangle, \ldots, \langle x_p^{p^{h_p}}N\rangle = N/N$, where $p^{h_p}$ is the order of
the Sylow p-subgroup of G/N. Let V stand for the union of the sets $\{1, x_p, \ldots, x_p^{p^{h_p}}\}$ over all primes
p dividing $|G/N|$. Note that $|V| = O(\log|G/N|)$, and the cost of constructing V is polynomial in
the input size. V contains a generating set for an arbitrary subgroup M of G/N because for each p,
it contains a generator for the Sylow p-subgroup of M (namely $x_p^{l_p}$ where $l_p$ is the smallest positive
integer $l$ such that $x_p^{l}N \in M$).

In the general case, let V be a complete set of coset representatives of G/N. V can be constructed
by the following standard method. We start with the set V = {1}. In each round we adjoin to V
a representative $vg$ of a new coset, for each $v \in V$ and each generator g of G, if $vg \notin wN$ for all
$w \in V$. This membership test can be achieved using a quantum algorithm for testing membership
of $w^{-1}vg$ in the commutative group N. The procedure stops if no new element can be added.

Then, for each $z \in V \setminus \{1\}$, we consider the function defined on $\mathbb{Z}_2 \times N$ as follows. For every
$x \in N$, let $F(0,x) = f(x)$ and let $F(1,x) = f(xz)$. Obviously, for $i \in \{0,1\}$ and $x, y \in N$,
$F(i,x) = F(i,y)$ if and only if $y^{-1}x \in H \cap N$, while $F(0,x) = F(1,y)$ if and only if $y^{-1}x \in zH \cap N$.

We claim that $zH \cap N$ is either empty or a coset of $H \cap N$ in N. Indeed, if $zH \cap N$ contains $zh$
for some $h \in H$, then $zh(H \cap N) \subseteq zH \cap N$, and conversely for all $h' \in H$ such that $zh' \in N$, we
have $(zh)^{-1}zh' = h^{-1}h' \in H \cap N$. It follows that in the group $\mathbb{Z}_2 \times N$, F hides either $\{0\} \times (H \cap N)$
or $\{0\} \times (H \cap N) \cup \{1\} \times u(H \cap N)$ for some $u \in zH \cap N$ depending on whether $zH \cap N$ is empty
or not. Note that this set is indeed a subgroup because N is an elementary Abelian 2-group. We
remark that u is determined only modulo $H \cap N$.

As $\mathbb{Z}_2 \times N$ is Abelian, we can find generators for this hidden subgroup in quantum polynomial
time. From any generator of type $(1, u)$ we obtain an element $u^{-1}z \in zN \cap H$. Repeating this, we
collect elements in $zN \cap H$ for each $z \in V \setminus \{1\}$ such that $zN \cap H \ne \emptyset$. Let $H_1$ be the subgroup
of G generated by the collected elements and by $H \cap N$. Then by construction $H_1$ is a subgroup of
H which satisfies the claimed properties. □